Aggregating SSH logs from your servers into SumoLogic

Jan 4, 2017
by
Sasha Klizhentas

This tutorial is for Linux administrators who want to collect the SSH security
events (SSH sessions, authentication attempts and so on) from their servers into
a centralized location. The benefits of doing this are:

Easily search for “who did what and when?”

Configure alerts to go off when something bad happens.

This tutorial uses SumoLogic for storing and searching the aggregated logs, and our
Teleport SSH Server as the source of the events. One of the benefits of Teleport is that, unlike
standard SSH logs, which record only OS logins and client IPs, Teleport also knows and keeps track of the identity
of the user and can integrate with popular identity providers and tools.

Overview

Teleport aggregates all events from all machines and stores them on its “auth server” by default.
All that is left to do is to export them into SumoLogic.